The dangerous cost of ‘free’ Wi-Fi

If it seems too good to be true, it probably is. Free Wi-Fi is no exception to this adage. Security company Avast tested this theory by setting up a number of free fake Wi-Fi hotspots to see how many people would take the bait. They caught a lot of fish.

So you go to a political convention. Do a little politicking and listen to some speeches. While taking a break from the handshaking and schmoozing you decide to do a little work on your laptop. Then you get hacked.

During the Republican National Convention, IT security company Avast set up fake Wi-Fi hotspots to see who would fall for their trick. As it turns out, a lot of people fell for it. Avast estimated more than 1,200 people logged into the fake hotspots, some with politically leaning names like "I VOTE TRUMP! FREE INTERNET" and "I VOTE HILLARY! FREE INTERNET," and some with an official ring to them like "Google Starbucks" and "ATTWifi at GOP."

Of those, 68.3 percent exposed their identities.

This isn't a new trick for actual hackers, but it is a popular one in travel-friendly spots and at big events. The Democratic National Convention and Olympics are expected to be breeding grounds for fraud.

"There are so many free applications and hardware devices available that almost anyone can do it," said Jerry Irvine, member of the U.S. Chamber of Commerce’s Cybersecurity Leadership Council and CIO of Prescient Solutions.

We're suckers

The ease of creating a fake hotspot is one reason fraudsters keep doing it. "There are freely available tools that allow someone to easily turn their laptop into a Wi-Fi hotspot," says Gary Davis, chief consumer security evangelist for Intel Security.

The other is that we keep falling for it. "There are so many free public Wi-Fi locations that users have become too comfortable joining them," says Irvine.

It's become such a part of our daily lives -- especially if we travel and are always looking for free Wi-Fi -- that we don't always question whether a network, especially one with a name related to a specific event, is there for any reason other than to make our lives more convenient. Time is a factor, too: we don't think we have enough of it to check, especially if we're trying to log on before going on to a zillion other things. "We are always in a hurry and often don’t take the time to consider if a Wi-Fi is malicious or fake. We tend to click on the top free link," says Davis.

The target

Here's what hackers are after if they get you to hook into their fake Wi-Fi network: Everything.

"First, hackers perform Man in the Middle (MitM) attacks, which allows them to copy 100 percent of all traffic that goes from the devices to and from the Internet," says Irvine. "Although some of this traffic may be encrypted if the user is using HTTPS when connecting to websites, much of the data is still readable."

Once in, they can do just about anything. "They can also use the connection to tunnel into your device to access files, drop malware and other bad things," says Davis.

From there, the world is their oyster, says Orlando Scott-Cowley, cyber strategist for Mimecast. "Your personal information, the services and apps you use and the types of devices you use are all easily detected during these attacks." And once they have this information, they have the keys to your kingdom – and will sell them to anyone who will pay enough to own them.

Just consider what Avast found out while using its fake Wi-Fi hotspots: 38.7 percent of those lured had Facebook or the Facebook messaging app; 13.1 percent accessed Yahoo Mail, 17.6 percent checked Gmail, and 13.8 percent used chat apps like WhatsApp, WeChat or Skype. If the hack had been real, scammers would have gained access to any of those systems (0.24 percent of users also logged into porn sites).

That's bad for you, but the stakes get even higher if you're on a work device and have sensitive information stored there.

The solution

For those who travel often and need Wi-Fi for their devices on the go, Davis recommends buying your own hotspot. That way, you know what you're connecting to, and it's always available when you need it so you don't go hunting around for some possibly unscrupulous other connection.

If opting for public Wi-Fi, he suggests picking a network that doesn't require a login -- and even then, don't do any kind of financial transactions on that connection.

You can also turn your cell phone into a hotspot, which, if there's 4G service available, makes the connection faster than some free Wi-Fi services, says Orlando.

If you're going to use a Wi-Fi hotspot that looks like it's tied to a location -- like one with the name of the coffee shop you're in -- Scott-Cowley adds that you should ask the staff if it's really theirs.

Even if you don't travel, be careful about telling your computer to automatically log into any public Wi-Fi network. Because while you may always work at Revolution Roasters and use their Wi-Fi, Irvine says that someone could come in and set up a Wi-Fi network with a similar name, and your computer may not be able to tell the difference.
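The check an auto-joining device does not make can be sketched as follows. This is an added example, not code from the article or from any vendor quoted in it; the profile, the access point addresses and the scan results are all constructed, and the 0.85 similarity threshold is an assumption.

```python
import difflib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    ssid: str       # network name shown in the Wi-Fi list
    bssid: str      # access point MAC address
    security: str   # "open", "wpa2" or "wpa3"


def _normalize(ssid):
    # Lookalike names usually differ only in case, spacing or punctuation.
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def audit_scan(trusted, known_bssids, scan, threshold=0.85):
    """Return (network, reason) pairs for entries that should not be auto-joined."""
    findings = []
    for net in scan:
        if net.ssid == trusted.ssid:
            # Same name: a security downgrade or an unseen access point is suspect.
            if net.security != trusted.security:
                findings.append((net, "same name, different security"))
            elif net.bssid.lower() not in known_bssids:
                findings.append((net, "same name, unknown access point"))
            continue
        ratio = difflib.SequenceMatcher(
            None, _normalize(net.ssid), _normalize(trusted.ssid)).ratio()
        if ratio >= threshold:
            findings.append((net, "lookalike name"))
    return findings


# Constructed sample data: one saved profile and one scan of nearby networks.
TRUSTED = Network("Revolution Roasters", "aa:bb:cc:00:00:01", "wpa2")
KNOWN_BSSIDS = {"aa:bb:cc:00:00:01"}
SCAN = [
    Network("Revolution Roasters", "aa:bb:cc:00:00:01", "wpa2"),
    Network("Revolution Roasters", "02:11:22:33:44:55", "open"),
    Network("Revolution Roasters", "02:11:22:33:44:66", "wpa2"),
    Network("Revolution Roasters Free", "02:11:22:33:44:77", "open"),
    Network("CityLibrary", "02:aa:aa:aa:aa:01", "wpa2"),
]

if __name__ == "__main__":
    for net, reason in audit_scan(TRUSTED, KNOWN_BSSIDS, SCAN):
        print(f"{net.ssid!r} ({net.bssid}, {net.security}): {reason}")
```

A clean result is not proof that a network is genuine, because an access point address can be copied; the check only narrows what a device should join without asking.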

A VPN service will shelter the information going in and out of your device to public Wi-Fi. And protect your physical device too, advises Irvine. Sometimes it's easier to take a device or physically put malware onto it when you're not looking than to get in through an internet connection.

"Travelers should be conscious of hackers who will attempt to physically steal laptops, tablets and cell phones from luggage, hotel rooms or coffee shops when they are left unattended," he says. "Also, users should never insert CDs, disks or thumb drives they found into their devices. Hackers drop these items at public places specifically to get unsuspecting individuals to plug them into their devices in order to infect them."

So even if it looks like something from a travel bureau promising discounts, don’t stick it into your device. You don't know where it's been.
